Mozilla Foundation Security Advisory 2011-34

Protection against fraudulent DigiNotar certificates

Announced

August 30, 2011

Impact

High

Products

Firefox, Firefox Mobile, SeaMonkey, Thunderbird

Fixed in

Firefox 3.6.21

Firefox 6.0.1

Firefox Mobile 6.0.1

SeaMonkey 2.3.2

Thunderbird 3.1.13

Thunderbird 6.0.1

Description

Google Chrome user alibo encountered an active "man in the middle" (MITM)
attack on secure SSL connections to Google servers. The fraudulent certificate
was mis-issued by DigiNotar, a Dutch Certificate Authority. DigiNotar has
reported evidence that other fraudulent certificates were issued and in active
use, but the full extent of the compromise is not known.

For the protection of our users, Mozilla has removed the DigiNotar root
certificate. Sites using certificates issued by DigiNotar will need to
seek another certificate vendor.
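The following script is an added illustration and is not part of the Mozilla advisory. It shows, with the openssl command-line tool, why removing a root from the trust store affects every site whose certificate chains to that root: a constructed root CA issues a constructed server certificate, the certificate validates while the root is in the trust store, and the same unchanged certificate fails to validate once the store contains only an unrelated root. Every CA name, hostname and file in it is constructed for the demonstration; the last function shows the command a site operator can run against a deployed certificate to see which root its chain depends on.

```shell
#!/bin/sh
# Added example, not part of the Mozilla advisory. Demonstrates the effect of
# removing a root certificate from the trust store: a server certificate that
# chains to the removed root stops validating even though the certificate
# itself is unchanged and otherwise valid. Requires the openssl CLI; every
# name and file below is constructed for this demonstration.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed root CA and a server certificate issued under it.
gen_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Constructed Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=demo.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Build an unrelated constructed root: it stands in for a trust store from
# which the issuing root has been removed while other roots remain.
gen_other_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Constructed Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# Exit 0 only if leaf.pem chains to a root contained in trust store $1.
# The "OK" line is checked explicitly because older openssl releases exit 0
# even when verification fails.
leaf_validates_against() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>/dev/null | grep -q 'leaf.pem: OK'
}

# Trust store still containing the issuing root: the site validates.
chain_ok_with_root() { leaf_validates_against "$WORK/root.pem"; }

# Trust store with the issuing root removed: the same certificate now fails,
# which is what visitors to an affected site see after a root-removal update.
chain_ok_without_root() { leaf_validates_against "$WORK/other.pem"; }

# Issuer of the server certificate; run the same command on a deployed
# certificate to see which CA its chain depends on.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer | sed 's/^issuer=//'
}

gen_chain
gen_other_root
echo "issuer of server certificate: $(leaf_issuer)"
if chain_ok_with_root; then
  echo "root present in trust store: certificate validates"
fi
if chain_ok_without_root; then
  echo "root removed from trust store: certificate validates"
else
  echo "root removed from trust store: certificate fails to validate"
fi
```

The server certificate is never touched between the two checks; only the trust store differs. That is the situation the advisory describes for DigiNotar-issued certificates: the site's own certificate remains well-formed, but with the root gone from the browser the chain no longer terminates in a trusted anchor, so the site must obtain a certificate from a different CA.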

Mozilla thanks Google, Inc. for reporting this issue to us. We also
thank Marien Zwart (Mozilla Localization), Ot van Daalen (Bits of Freedom),
and Erik de Jong (GovCERT) for their help.